Computerworld - In my last look at Macintosh security, I wrote about the importance of configuring individual workstations to make their local resources and data more secure (see "To secure a Mac workstation, remember the users"). In this installment, I offer a look at additional ways to tighten security on workstations, from disabling peer-to-peer sharing to limiting SSH access and securing local NetInfo data.
Let's jump right in.
Concerns About Root-Access (SUID) Applications
Disabling root and securing sudo access (sudo is short for super-user do) will keep most users from gaining root access, but there is also the suid-root feature that is used by some applications. Suid (set user ID) allows an application to be designed so that it can run with permissions beyond that of the user who launched it, generally as root. The application itself may not run as root, but some processes that it requires may.
In itself, suid is not a bad thing. Many diagnostic tools (both command line and GUI) make use of it to function without requiring users to act as root. For some of them, such as Disk Utility, Classic OS operation or several installers, it makes sense that they would need or use suid. The problem is that a clever user with enough Unix development knowledge could turn this feature into a way to gain root access.
If possible, delete the applications or tools that use suid from a workstation. Where that isn't possible or would lead to problems with functionality or troubleshooting, limit access to them. You can do this using managed preferences, by setting permissions on the applications themselves, or by placing them collectively in a folder and securing access to that folder using permissions. You can find suid using the following Unix command:
find / -perm -4000 -user 0
For GUI tools, you will see the suid components listed within each application as part the .app directory:
/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy
Limit Access to Cron
Cron can be used for attacking workstations or servers, either directly or through a virus or script. Cron can be set to perform any scriptable action, meaning if someone gains access to a local user account with any level of access, he can cause the Mac to perform some task at a later date (possibly on a repeating basis). This can actually mask a serious intrusion because you may not notice that the commands have been added.
On Mac OS X Server, this is a reason to periodically check existing crontabs for anything new or unusual. Since you
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
